The Attribution Revolution

The Obama-Xi summit in Sunnylands ended without any Chinese concessions on cyber-espionage. This came as no surprise; cyber spying has been an indispensable accelerant for China’s military and economic rise. And though Beijing may someday agree that international law governs cyberspace, that won’t help the victims of espionage, which is not regulated by international law. So if negotiation won’t work, what will? Not a strategy that relies entirely on defense. That’s like trying to end street crime by requiring pedestrians to wear body armor.

The good news is that there has been a revolution in our ability to identify cyberspies. It turns out that the same human flaws that make it nearly impossible to completely secure our networks are at work in our attackers too. And, in the end, those flaws will compromise the anonymity of cyberspies.

Call it Baker’s Law: "Our security sucks. But so does theirs."

As numerous recent reports show, attackers are only human. They make mistakes when they’re in a hurry or overconfident. They leave bits of code behind on abandoned command-and-control computers. They reuse passwords, email addresses, and physical computers. Their remote access tools are full of vulnerabilities. These are openings that we can exploit to trace cyberattacks first to the command and control computers used to carry them out, then to the homes and offices of the hackers that perpetrate them and then, hopefully someday soon, to the customers that sponsor them.

But attribution is only half the battle if we want to deter cyber-espionage. The other half is retribution. Once we identify the attackers, we need to persuade them to choose another line of work. If we’re serious about stopping cyberespionage, there are plenty of tools at our disposal:

1. Expose and isolate nations

Naming and shaming is a commonly used method of deterring bad conduct by other nations. The U.S. may be reticent about releasing hard won intelligence about the activities of foreign governments. But some of the most explosive — and convincing — recent allegations against foreign governments have in fact been made by private entities. A report released earlier this year by a company called Mandiant offered extensive evidence of the People’s Liberation Army’s role in hacking into U.S. companies over a number of years. The report placed an embarrassing spotlight on state-sponsored hacking in China and sparked bitter but unconvincing denials from the Chinese government.

Of course, it’s not clear that embarrassment alone will stop countries like China or Iran from supporting cyberattacks against U.S. companies and agencies. But it’s a start. It raises the cost of what has been a relatively low-risk, asymmetric strategy. And it sets the stage for further action in the future.

China may seek to do some naming and shaming of its own, of course. It claims to have "mountains of data" about U.S. cyber spying. Perhaps so. But the United States already does a pretty good job of exposing its own secret cyber exploits, so it’s unlikely that the world will learn much from the Chinese effort. Perhaps more importantly, neutral exposure is an asymmetric tactic that helps the United States. Our intelligence is focused on government, not commercial targets. The more the world learns about the two nations’ approach, the more its concern is likely to center on China, not the United States.

2. Sanctions for spies

The U.S. government may not be able to reach hackers located on the other side of the world. And even if we could catch them, we might not want to risk compromising intelligence sources and methods by taking them to court. But that does not mean the United States cannot punish them. The government already uses classified information to label terrorist supporters and drug kingpins as "specially designated nationals" and to impose sanctions on them — seizing their bank accounts and assets, for example, and prohibiting U.S. citizens from doing business with them. The United States even has such programs for sanctioning Belarusian kleptocrats and conflict diamond purveyors. Maybe it makes sense for Washington to use sanctions to punish misdeeds in Belarus or West Africa, but shouldn’t it first use these measures to punish people who are invading homes and offices in, you know, the United States?

It’s unclear why the president hasn’t done this already — he’s already got all the authority he needs to impose sanctions on cyber spies and their enablers. Under the International Emergency Economic Powers Act, the president could determine that cyber spying poses "an unusual and extraordinary threat" to the United States and declare it a "national emergency." He could then publish a list of hackers who would be subject to sanctions. In keeping with past practice, he could rely heavily on classified data to make the designations — without disclosing any of it.

3. Prison break meets prisoner’s dilemma

Sometimes carrots work better than sticks, and visas can certainly play that role as well.

The Justice Department is authorized to issue up to 250 "S" visas each year to foreign nationals "in possession of critical reliable information concerning a criminal organization or enterprise." The visa allows family members to enter as well, and it becomes a permanent residency if the witness’s "information has substantially contributed to the success of an authorized criminal investigation."

Systematically hacking U.S. companies and agencies surely constitutes a criminal enterprise under domestic law, and even an investigation can be deemed a success without leading to a criminal conviction. If a witness’s cooperation helps us to thwart other countries’ cyber spying campaigns, that surely counts as a success.

So under current law, the Justice Department could send text messages to all the guys who’ve already been identified as Chinese hackers, saying: "The first one of you who shows up at a U.S. consulate with a flash drive full of your employer’s data will get an S visa and $1 million. The second one will get an S visa and $100,000. The third will get an S visa and $10,000. And the rest of you will be indicted with the evidence supplied by the first three."

4. Deny visas to enablers

On the flip side, the U.S. government has the power to deny visas and other perks to entities that act as enablers to hackers.

For example, late last year Trend Micro released a report that unmasked "Luckycat," a Chinese hacker who had attacked the Dalai Lama, U.S. aerospace firms, and other targets. His real name was Gu Kaiyuan, formerly a student at Sichuan University’s Information Security Institute and at least at the time an employee at a major Chinese Internet company. Now it may be that the U.S. government can’t do much to reach Mr. Gu in China, but why haven’t the officials investigating those intrusions gone to his employer and his alma mater and asked them to cooperate in the investigation? Unlike Mr. Gu, those institutions need to maintain good relations with the United States government. Sooner or later, every Chinese university wants its students and faculty to get visas to work and study in the United States. And every Chinese company that does business here is subject to U.S. investigative authority. They have many reasons to cooperate, particularly if the government has evidence that they may have condoned or enabled cyberspying. At a minimum, taking a hard look at these institutions will make them think twice before they support or turn a blind eye to hackers in their midst.

5. Criminal and civil suits for final customers

But punishing individual hackers is
only part of the story. What if the United States applied all of these measures not just to the hackers themselves but to companies that benefit from the data they filch from U.S. networks? There’s no difference in criminal responsibility between a thief and the customer he’s stealing for. But there could be all the difference in the world between hackers who do their work from the safe environs of a protective government and the hackers’ customers, who can’t be truly successful in today’s world if they aren’t part of the global marketplace. And going global means exposing their companies, executives, and assets to the legal systems of the United States, Europe, and a host of other countries that are furious at the wholesale espionage aimed at their companies. If a few big companies in China find that having a cozy relationship with hackers means criminal prosecutions and asset seizures, they’re a lot more likely to say "Thanks, but no thanks" to offers of stolen data.

Of course, to bring those cases, the government will have to have those companies dead to rights, and so far it doesn’t. U.S. security researchers have done a great job of tracking the thieves back home. But they’ve had trouble identifying the companies who ultimately benefit from cyberspying.

That too is an attribution problem — the next one we have to solve if we want to really discourage commercial cyber-espionage. It will be difficult, but no harder than the first attribution problem looked five years ago. Given the stakes, improving cyber-attribution should be at the top of U.S. intelligence priorities. And now that private researchers have demonstrated how much attribution can be accomplished without all the resources and authorities of the CIA and NSA, those agencies should be embarrassed by their poor record to date. And they may not have much time before someone — Iran, North Korea, Hezbollah — causes a power outage or other control system failure in the United States. If they can’t tell the president who did that, the heads of those agencies will be looking for new jobs. As part of the attribution effort the United States needs for defense, it shouldn’t be that hard to identify the customers who benefit from cyber-espionage.

* * *

While the technical challenges remain with U.S. intelligence and law enforcement agencies, there have nonetheless in recent months been hopeful signs from an unexpected place: Congress. Of course, past legislative efforts aimed at improving our passive cyber-defenses (e.g., regulating critical infrastructure security, information sharing) have struggled to take off. Business groups have resisted measures that might result in more regulation, and privacy groups have opposed measures that might weaken protection of personal data. But the political calculus may be different when it comes to imposing pain on the hackers themselves. In recent months, the Hill has been buzzing with new ideas for identifying and punishing cyberspies and the companies that benefit from them.

At a recent hearing before the Senate Judiciary Committee’s Subcommittee on Crime and Terrorism, I testified about some of these ideas. Senators Sheldon Whitehouse (D-RI) and Lindsey Graham (R-SC) expressed particular interest in measures to impose sanctions on countries that support hackers as well as potential visa restrictions.

Another example is the Deter Cyber Theft Act (S. 884), which has been sponsored by a bipartisan group of senators, that includes Senators Carl Levin (D-MI), John McCain (R-AZ), Tom Coburn (R-OK), and Jay Rockefeller (D-WV). This bill would require intelligence agencies to annually report to Congress on countries and entities that engage in cyber-espionage as well as to identify intellectual property that has been stolen as a result of hacking. It further permits the president to prevent the importation into the United States of products that are linked to foreign cyber-espionage activities, such as articles that have been manufactured using stolen IP or that have been produced by companies that have benefited from it. In short, the bill would nudge the government towards broader attribution, greater naming and shaming, and some efforts to deny companies the fruits of using stolen information.

If these measures result in the punishment of Chinese companies, there is no doubt but that China will seek to reciprocate. But once again, asymmetry is likely to complicate their task. U.S. intelligence agencies do not steal commercial secrets for U.S. companies so it will be hard for China to mirror these measures without faking the evidence. In short, a focus on the beneficiaries of commercial espionage could cause real pain for cyber spies and their customers. With luck, this may allow us to add a corollary to Baker’s Law about cyberspies: Not only does their security suck, but maybe soon it will suck to be them.